author | Jörg Thalheim <Mic92@users.noreply.github.com> | 2018-01-02 14:58:45 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2018-01-02 14:58:45 +0100 |
commit | 310ad4345bbe42ae7360981243f6602a03fd232f (patch) | |
tree | 9f66918d121921845f35b5c5a0804f72a0937032 /nixos/modules | |
parent | 9057682839c0cae470ac4331f832cbe7b90362e3 (diff) | |
parent | f15fad898b3076eb758bad7e437ecae9dae7752f (diff) | |
Merge pull request #30686 from gnidorah/keyring
pam: add optional pam_gnome_keyring integration
Diffstat (limited to 'nixos/modules')
-rw-r--r-- | nixos/modules/security/pam.nix | 17 |
1 files changed, 16 insertions, 1 deletions
diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix
index 8d658a20a1fe..3fff9e78aa19 100644
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@@ -223,6 +223,17 @@ let
 '';
 };
 
+ enableGnomeKeyring = mkOption {
+ default = false;
+ type = types.bool;
+ description = ''
+ If enabled, pam_gnome_keyring will attempt to automatically unlock the
+ user's default Gnome keyring upon login. If the user login password does
+ not match their keyring password, Gnome Keyring will prompt separately
+ after login.
+ '';
+ };
+
 text = mkOption {
 type = types.nullOr types.lines;
 description = "Contents of the PAM service file.";
@@ -273,7 +284,7 @@ let
 # prompts the user for password so we run it once with 'required' at an
 # earlier point and it will run again with 'sufficient' further down.
 # We use try_first_pass the second time to avoid prompting password twice
- (optionalString (cfg.unixAuth && (config.security.pam.enableEcryptfs || cfg.pamMount || cfg.enableKwallet)) ''
+ (optionalString (cfg.unixAuth && (config.security.pam.enableEcryptfs || cfg.pamMount || cfg.enableKwallet || cfg.enableGnomeKeyring)) ''
 auth required pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} likeauth
 ${optionalString config.security.pam.enableEcryptfs
 "auth optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so unwrap"}
@@ -282,6 +293,8 @@ let
 ${optionalString cfg.enableKwallet
 ("auth optional ${pkgs.plasma5.kwallet-pam}/lib/security/pam_kwallet5.so" +
 " kwalletd=${pkgs.libsForQt5.kwallet.bin}/bin/kwalletd5")}
+ ${optionalString cfg.enableGnomeKeyring
+ ("auth optional ${pkgs.gnome3.gnome_keyring}/lib/security/pam_gnome_keyring.so")}
 '') + ''
 ${optionalString cfg.unixAuth
 "auth sufficient pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} likeauth try_first_pass"}
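Review bot: The `enableGnomeKeyring` description in the first hunk covers the unlock at login but says nothing about how the keyring password stays in step with the login password. The hunks shown here add `auth` and `session` entries only; unless a `password` entry for `pam_gnome_keyring.so` exists elsewhere in the file, a login password change leaves the keyring on the old password, which is the mismatch case the description mentions. I would add a sentence such as `Changing the login password does not update the keyring password.` to the description, or wire the module into the password stack in a follow-up.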
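Review bot: Adding `cfg.enableGnomeKeyring` to the condition in the second hunk means the option also switches on the early `auth required pam_unix.so` line, not just the keyring module. With `required`, a pam_unix failure fails the whole stack for that service, so any module further down that would otherwise be enough on its own (none is visible in this hunk) no longer is. That side effect deserves a line in the option description, e.g. `Enabling this also makes pam_unix a required step for the service.` The explanatory comment starts above the hunk, so it may already say this for the other three flags.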
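Review bot: The keyring `auth` line in the third hunk sits inside the block guarded by `cfg.unixAuth && (...)`, while the `session` line in the last hunk is guarded by `cfg.enableGnomeKeyring` alone. A service with `unixAuth = false` and `enableGnomeKeyring = true` therefore gets the session entry with no auth entry, so the module probably has no password to unlock with and the option quietly does less than its description says. Either state in the description that the option needs `unixAuth`, or guard the session line the same way with `${optionalString (cfg.unixAuth && cfg.enableGnomeKeyring)`. The parentheses around the single string on the `auth` line are also unnecessary; the kwallet entry needs them only because it concatenates two strings.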
@@ -351,6 +364,8 @@ let
 ${optionalString (cfg.enableKwallet)
 ("session optional ${pkgs.plasma5.kwallet-pam}/lib/security/pam_kwallet5.so" +
 " kwalletd=${pkgs.libsForQt5.kwallet.bin}/bin/kwalletd5")}
+ ${optionalString (cfg.enableGnomeKeyring)
+ "session optional ${pkgs.gnome3.gnome_keyring}/lib/security/pam_gnome_keyring.so auto_start"}
 ${optionalString (config.virtualisation.lxc.lxcfs.enable)
 "session optional ${pkgs.lxcfs}/lib/security/pam_cgfs.so -c freezer,memory,name=systemd,unified,cpuset"}
 ''); |
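Review bot: `auto_start` on the new session line makes the module start gnome-keyring-daemon when none is running, which the option description does not mention. Because the option is declared next to the per-service `text` option, it looks settable on any PAM service, including non-graphical ones where a per-session daemon is probably unwanted. A comment above the line would help: `# auto_start: launch gnome-keyring-daemon for the session if it is not already running`.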